dehuszar / hashistack-config Goto Github PK

Order to provision and run:

Nomad Clients

1. provision vault client config

2. provision vault client tls config

3. install vault client cert gen service

4. (if TLS is already enabled) provision starter certificate

5. build vault config

6. provision consul client config

7. provision consul client tls config

8. provision consul client token

9. build consul client tls

10. build consul client config

11. provision nomad client config

12. provision nomad client tls

13. build client cert gen service

14. build client config tls

15. install docker (and other) drivers

Consul Servers

Nomad Servers

Vault Servers

1. provision consul client config
2. provision consul gossip config
3. provision consul client certificates
4. provision consul token
5. provision vault server config
6. provision vault server tls
7. FINISH ME

Not sure why ansible $1 -b -a "complete -C /usr/local/bin/$2 $2" is not evaluating properly, but it is. Running the command directly from the local works fine.

In a "vault-first" approach, the script would deploy vault servers and their necessary env vars via ansible. Once Vault is running, a pre-ssl vault config would be deployed by terraform to the running cluster to enable tls (PKI engine config should thus live in it's own stack).

Because each service needs to talk to Vault to issue a TLS certificate for it, we need to wait to enable TLS on Vault so that all other services can properly bootstrap. To facilitate this, another script is run to deploy Nomad servers, Consul servers, and Nomad client configurations. The script would

• enable the cert-gen services across nodes
• issue certificates for each service
• build configurations for each service, and then boot them up
• trigger a terraform deploy of each service's configurations
• deploy tls-enabling env vars to each node (including Vault's)
• restart all services

At which point you can make a cocktail and kick back.